Imagine receiving a notification from Nubank about a transaction you don’t recognize. What a headache to sort out, you think. Soon after, a message arrives from Shoptime asking you to confirm a purchase for the same amount. But you didn’t buy anything. How is this possible? That’s what happened to a reader of Techblog. And, apparently, to other people as well.
The order was for a smartphone worth around R$1,500. The delivery address was in a state far from where reader Amarildo lives.
When he looked for the purchase, however, he found that his store account was intact. Whoever placed the order had “cloned” his registration: a new account was created with his name, telephone number and CPF. The only difference was the e-mail address, which was not his but belonged to a family member with a similar name.
With the help of this family member, the reader was able to reset the password of the “pirate” registration, found the order and contacted the company, which solved the problem.
Reclame Aqui has similar reports
Amarildo was able to cancel the order and suspend the credit card charges. When he contacted the company, Shoptime said that it had placed the cloned registration on a list of suspects and that it would no longer accept orders with that data.
A search on Reclame Aqui, however, shows that Amarildo was not the only person affected by the practice: there are more similar reports involving Shoptime, Americanas and Submarino, which all belong to the same group, the former B2W, now Americanas SA.
In some cases, the action was more direct: the fraudsters simply broke into the accounts and placed orders directly from them, with the victims’ or third-party cards, changing only the address.
A customer from Vila Velha (ES) complains that his Submarino account was improperly accessed and that two orders were placed — one of them was even shown as already delivered. The store solved the problem.
In another episode, a consumer from Praia Grande (SP) also reports an attempt to purchase a smartphone through his Americanas account, using his virtual credit card. The company also resolved the complaint and said it was a “digital security breach”, which would be forwarded to the IT department.
There is also a case in Salvador (BA), in which the intruders tried to buy an Apple headset with the card registered with Americanas. The company responded, and there is no information from the customer about how the case ended.
Americanas partner cards suffered fraud
It is not the first time that Americanas’ online retail brands have been the target of complaints. In March of this year, clients of Banco Cetelem — which issues the Americanas, Submarino and Shoptime cards — complained about transactions made without their authorization.
At the time, customers received notifications of improper purchases in amounts of around R$1,000. They also reported difficulties and delays in service by Cetelem.
Shoptime does not check the CPF on new registrations
Speaking to Techblog, reader Amarildo said he found it strange that a new registration could be created with the same CPF, without verification.
It is indeed possible: I myself managed to create a second account on Shoptime and Americanas with my document and another e-mail. Other stores, such as Magazine Luiza and Extra, do not allow this operation.
Americanas, owner of Shoptime, was contacted but had not responded by the time this report was published.
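The check that stores blocking a second registration apply can be sketched as follows. This is an added example, not code from any of the retailers mentioned: the `AccountRegistry` class, its review queue and the sample customers are hypothetical, and the CPF numbers are constructed test values.

```python
import re

def normalize_cpf(raw: str) -> str:
    """Reduce a CPF to its 11 digits so formatted and bare forms compare equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 11:
        raise ValueError("CPF must contain 11 digits")
    return digits

def cpf_is_valid(cpf: str) -> bool:
    """Verify both mod-11 check digits of a normalized CPF."""
    if cpf == cpf[0] * 11:      # all-equal digits satisfy mod-11 but are rejected
        return False
    for n in (9, 10):           # n = number of digits covered by each check digit
        total = sum(int(d) * w for d, w in zip(cpf[:n], range(n + 1, 1, -1)))
        if int(cpf[n]) != (total * 10) % 11 % 10:
            return False
    return True

class AccountRegistry:
    """Hypothetical signup store that allows one account per CPF."""

    def __init__(self):
        self._owner_by_cpf = {}   # normalized CPF -> account holding it
        self.review_queue = []    # blocked attempts, kept for fraud review

    def register(self, name: str, cpf_raw: str, email: str) -> bool:
        cpf = normalize_cpf(cpf_raw)
        if not cpf_is_valid(cpf):
            raise ValueError("CPF check digits do not match")
        email = email.strip().lower()
        owner = self._owner_by_cpf.get(cpf)
        if owner is not None:
            # Same document under a different e-mail: the "cloned" registration
            # described in the article. Refuse it and record the attempt.
            self.review_queue.append(
                {"cpf": cpf, "existing": owner["email"], "attempted": email})
            return False
        self._owner_by_cpf[cpf] = {"name": name, "email": email}
        return True

if __name__ == "__main__":
    reg = AccountRegistry()
    print(reg.register("Customer A", "529.982.247-25", "a@example.com"))
    print(reg.register("Customer A", "52998224725", "other@example.com"))
    print(reg.review_queue)
```

Comparing the normalized digits rather than the string as typed is what stops the same document from being registered again with different punctuation.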
What the consumer should do
Speaking to Techblog, the director of Procon-SP, Fernando Capez, recommends contacting the agency in cases of this type. He points out that Procon-SP reports such incidents to the National Data Protection Authority (ANPD), the body responsible for supervising and applying the sanctions provided for in the General Data Protection Law (LGPD).
“If the data controller lets this leak, this flaw needs to be investigated”, says Capez. He also recalls that, since August, companies have been obliged to report security incidents to the ANPD.
The director of Procon-SP emphasizes the importance of the agency’s mediation in applying penalties if something has gone wrong in the company’s operations.
The consumer protection agency does not have the power to collect damages, but the complaint and the administrative process can serve as a basis for legal action, if the consumer feels aggrieved.